I despise, despise, Homebrew's "we know better than you" approach to always installing the latest versions of every dependency. How tf is this fine? They don't even offer alternative. They just say "we can't test all of the packages installed and all version combinations, so this is the best we can do". Well, no one asked you to test my exact setup. All I'm asking for is: if I have perfectly working Node 18 and I need to install fcking Shopify CLI, don't fcking install Node 19 and break my whole setup! Tf?!
> I despise, despise, Homebrew's "we know better than you" approach to always installing the latest versions of every dependency
I love it. I'm using a desktop, not a server. I specifically want my dependencies to be always up to date
> All I'm asking for is: if I have perfectly working Node 18 and I need to install fcking Shopify CLI, don't fcking install Node 19 and break my whole setup! Tf?!
Then install nvm. Nvm will always be latest, the Homebrew packages will always depend on the latest node version, and locally you'll depend on your own node version that you installed with nvm.
If you have project dependencies, Homebrew's not a good fit for that—but, crucially, that's far from just being a problem with Homebrew, it's true of most (not all, but most) system package managers.
Using a tool-specific system (e.g. nvm), or Docker, or a VM, is far better for reproducibility. Homebrew's better for installing things you're going to use directly, yourself. Like, don't use it to install Postgres system-wide if you need it for some rails "app"—you'll just run into pain the first time you have to git-bisect or go back and fix some older deployed branch and that version was running on some earlier version of Postgres, or the first time you want to work on a second project that relies on a different version.
That's not just a Homebrew thing, the same problem applies, to, say, Debian and dpkg—don't use those to install project deps, unless you're very sure those deps will always be "whatever's available from Debian today".
Homebrew's great for installing your tools. It's not good for project deps. Again, that's far from being just a Homebrew problem.
I've been using Nix (and, occasionally, MacPorts) instead of Homebrew for a few years now. Works great, and doesn't have that particular issue. If Nix seems like a bridge too far, the Devenv project offers some nice, lightweight porcelain atop the raw Nix experience.
That's a Node problem. They make semver-major breaks on a regular schedule, which is a flabbergasting policy. Besides, you're still in trouble even if you don't upgrade, because then your JS deps will eventually start breaking from a too-old Node. And if you don't upgrade deps, you risk vulnerabilities, and you won't know which one of the 20 "critical" npm reports are ReDoS spam, and which one are actually important.
Homebrew’s dependency resolution was a complete joke the last time I checked it out, but they were completely happy with the laughable results so I won’t be surprised if it hasn’t changed.
Essentially it did all dependency resolution at build time (because brew used to have no prebuilt binaries and everyone’s workstation would spend 90 minutes compiling the same things over and over again). But when they added binary distribution they didn’t change the dependency resolution to work like eg deb’s or rpm’s do.
It used to be that if you told it to install from source it would thus be able to “detect” your local existing package that provides the dependency. It may just take a while depending on what you’re installing.
You can specify specific package versions in brew if you want specific versions pinned.
The default behaviour of using the latest in repo is correct and is how every package manager works. It’s the behaviour people expect and it’s the behaviour that is arguably more secure (the fact that homebrew is bleeding edge does create issues here but generally speaking my point stands).
I believe you pin using the @ symbol followed by a version number. Eg brew install awesome-project@13.0
This is not at all how every package manager works. On debian if you install a package it will just install that package and it will warn you if dependencies will require upgrading first. It won't upgrade totally unrelated packages and break everything for you. In addition, you have different branches where the debian stable branch is extremely well tested.
Homebrew is way, way worse than any other package manager because it just breaks stuff all the time.
Brew follows a rolling-release style, it behaves the same way the Arch Linux package manager does. In Arch users are discouraged from upgrading specific packages instead of everything as a whole.
That said, the docs say that running "brew upgrade <package>" will only upgrade that specific package. Of course, if that package relies on new versions of dependencies, they will get updated too, and in turn this will update any packages that also depend on it, creating a chain of updates. But there's an option to see what will happen: "brew upgrade --dry-run <package>".
> This is not at all how every package manager works. On debian if you install a package it will just install that package and it will warn you if dependencies will require upgrading first. It won't upgrade totally unrelated packages and break everything for you.
What you're arguing about now is just that Homebrew doesn't give you a prompt. Which is a fair criticism but it doesn't really change much because if you need that other package that depends on the latest version of node, then all the prompting in the world isn't going to change the fact that you are still going to need to install that updated version.
But, as I'd mentioned before, `brew` does let you install specific versions of software too. So it's a bit of a moot point about whether you get upgraded or not since, in this circumstance, you can have your proverbial cake and eat it (ie both versions installed).
> In addition, you have different branches where the debian stable branch is extremely well tested.
Debian isn't bleeding edge and nor is it rolling release. Arch is a better comparison and people frequently complain about updates breaking things on that too (even though that does have a testing branch). To be clear, I love Arch. It is by far and away my favourite Linux and a large part of that is because of it's package management. But no system is perfect.
> Homebrew is way, way worse than any other package manager because it just breaks stuff all the time.
I agree Homebrew has it's warts. I just disagree with this particular complaint. I think Homebrew is doing the right thing here.
If you want to complain about how it has to operate outside of the core OS because it's a 3rd party tool, or its overuse of beer jargon as cute substitutes for the more recognisable package management terminologies then I'm 100% behind you. But to complain that it's keeping your system up-to-date when you haven't asked for a package to be version pinned feels more than a little unfair.
But the shopify cli, the given example, does depend on nodejs. If you tell Debian's apt to install a package that depends on a newer version of an installed package, it'll update that package for you as well.
If Debian stable updates their nodejs package to 19 and you install any package that depends on nodejs, expect to get the nodejs 19 update.
The difference here is that Debian pins versions of software per release so you won't run into these situations. That's fine if you're willing to deal with running older software maintained by Debian rather than the original developers, but that's just a choice.
From what I can tell, Homebrew acts more like pacman and friends; it expects you to stay up to date, and if you don't it's up to you to fix the problem.
> On debian if you install a package it will just install that package and it will warn you if dependencies will require upgrading first. It won't upgrade totally unrelated packages and break everything for you
This is exactly how Homebrew works, too. The difference is that Debian won’t ship a new version outside of a major release so if you started with Node 18 you won’t get 19 until next year.
Now, of course, developers usually don’t like that so there are non-core repositories which update more frequently … and you get exactly the behavior which Homebrew has. Being oriented at developers just means Homebrew does that by default.
> Homebrew is way, way worse than any other package manager because it just breaks stuff all the time.
I hear this a lot, but as a 12+ year user of Homebrew it simply does not match my experience, other than for Python which is in and of itself fundamentally broken regardless of where you get it from. Indeed, I’ve spent far longer screwing about trying to get up-to-date dependencies on recent Ubuntu releases than thinking about it.
I wanted to love Nix, and still use it sometimes, but it is unfortunately not very friendly to arbitrary package version selection. Asdf for the worse-is-better win!
You could always manage your packages and their dependencies yourself.
Or you could release a new package manager which does provide support for that functionality, build out a team of maintainers, and stay on top of all the releases
It's really not. It's borderline impossible (pun intended) to start your own country, mainly because you need to find a piece of land first. Starting a package manager is, like, a few months of work?
